From an insurer’s perspective, 2021 proved to be a good vintage for case law helpful to defending data protection claims. Several High Court (1) decisions dealing with issues such as establishing de minimis thresholds for damages and the availability of misuse of private information as a cause of action in cyber-attacks were all crowned at the end of the year by the Supreme Court’s judgment in Lloyd v Google, confirming that compensation for distress required proof of damage. Together, those decisions somewhat dampened Claimant firms’ confidence in litigating modest data protection damages claims.
In 2023 we also saw a rise in cyber-attacks that resulted in the extortion of victims but did not feature ransomware, with the MOVEit breach being a high-profile example of this at scale. With more organisations adopting secure back-ups and more threat actors using smash-and-grab tactics, we anticipate a continued increase in extortion-without-encryption attacks alongside ransomware threats to businesses and sectors with less mature security measures.
As we assess the position in 2024 and consider the future of (individually) low-value damages claims from data protection breaches, the claimant community might be hoping that 2021 represented the peak for case law favouring data controllers. At the coalface of dealing with these claims, we have observed a change in the tactics by claimant legal representatives over the past year, together with an increasing confidence to once again pursue litigation.
In response to a helpful run of High Court decisions that pointed towards the small claims track as being the most appropriate forum for the management of these claims, claimant legal representatives are increasingly obtaining expert evidence from a psychologist (or similar) and re-framing their claims from pure distress claims to personal injury claims. This appears to be designed, in part, to circumvent allocation to the small claims track, to enable legal costs to be recovered.
We expect this trend to continue and it carries several consequences for how such claims are managed. There are potential impacts to track allocation and the recoverability of costs, and also to the recoverability of ATE insurance premiums, pre-action protocols, limitation periods, and the adjustment of defence strategy in response, particularly in challenging expert medical evidence based on recent Supreme Court (2) authority.
We anticipate the trio of recent decisions from the European Court of Justice (3) (ECJ) on the scope of damages under Article 82 of GDPR will result in fresh challenges in the UK courts about the proper interpretation of UK GDPR and the appropriate compensation threshold (and also quantum). While collectively these ECJ decisions may be welcomed by claimants, it remains uncertain what, if any, impact they will have on domestic courts.
The cumulative costs of bulk third-party data breach claims following a cyber-incident will continue to be one of the largest risks for cyber insurers to manage, and with fresh legal challenges anticipated we expect further disruption on the horizon.
Final thoughts
The data and cyber security to-do list for 2024 looks as busy as ever, with the introduction of new laws containing security duties and breach notification obligations (4). We anticipate that certain cyber-attack trends will accelerate throughout 2024, including attacks that use the supply chain as the attack vector and attacks against cloud infrastructure. In addition, the technology arms race with threat actors will continue and we anticipate an increasing use of tools such as automation and AI in cyber-attacks. This should provide a strong incentive for organisations to reassess their security posture and to critically review the suitability of their incident response plans, playbooks and simulations for 2024.
1. Warren v DSG Retail Ltd [2021] EWHC 2168; Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB); Johnson v Eastlight Community Homes [2021] EWHC 3069 (QB); Cleary v Marston (Holdings) Ltd [2021] EWHC 3809 (QB)
2. TUI UK Ltd v Griffiths [2023] UKSC 48
3. UI v Österreichische Post AG (Case C-300/21); Natsionalna agentsia za prihodite (Case C-340/21); ZQ v Medical Service of Health Insurance North Rhine (Case C-667/21)
4. Examples include: Digital Operational Resilience Act, NIS 2.0, Cyber Resilience Act, Product Security and Telecommunications Infrastructure Act, Telecommunications Security Act